CSG: GroundRod Primer Course Review

On 04-05 February, “K” from Combat Studies Group (K@CSG) held a GroundRod Primer course in Austin, Texas. I had the opportunity to attend, and I encourage you to attend his courses, as well.

If this course is centered on two things, it’s problems and solutions. In a more technical sense: vulnerabilities and countermeasures. What is an adversary’s “attack surface” and how do we harden ourselves against that attack? Utilizing electronic means to communicate — whether that’s via the internet, a cellular network, or radio signals — opens us up to electronic surveillance (at a minimum) and possibly direct targeting to exploit our communications. As was discussed in the class, Gen. Michael Hayden (Ret.), who was the director at both CIA and NSA, famously quipped, “We [the US] kill people based on metadata.” Your cell phone number, its IMEI number, call times and duration (what’s referred to as “exposure”), and geolocation of those calls are all examples of metadata. Furthermore, your email address, IP address, and MAC address are metadata easily found via the internet. This metadata is associated with the caller or emailer, which is another data point in your pattern of life. With sufficient data points, analysts like myself can map out your pattern of life and begin to anticipate future activity. That’s a vulnerability, and it’s one that deserves a hard look. Luckily, K@CSG has developed some hardened platforms — the Sepio laptop, Verus cell phone, and Libertas tablet — which are countermeasures, and I’ll get to those later.

The instructor did a great job of explaining the vectors through which communications are targeted, and not just by state-sponsored entities like NSA and foreign intelligence services, but also by criminals. These attack vectors are inherent vulnerabilities. And if we don’t understand the way in which our communications are attacked, then our greatest vulnerability is ignorance. The very first countermeasure to that vulnerability is education, which is why I’m glad to have attended the GroundRod Primer course. I’m a reasonably tech-savvy individual, and I learned quite a bit. Throughout the weekend, I saw lightbulbs come on as students were exposed to new information, and then made connections with applicability to their own lives. This course is for privacy-conscious individuals who don’t want their personal information sold by third parties, as well as digital privacy advocates and individuals who travel or work in non-permissive environments. Remember: if the product is free (Gmail, Yahoo, etc.), then you are the product.

The instructor also taught about cryptocurrencies, their dangers and benefits, and how to use them anonymously. We understood their immediate use for bugout or escape and evasion (E&E) scenarios, because having a Bitcoin wallet on a burner phone or tablet means that you can access cash from anywhere in the world. And with the growing number of stores, kiosks, and individual buyers and sellers, there’s a good chance that you can get access to cash anonymously in those types of scenarios. Digital cryptocurrency is certainly lighter than cash, silver, and gold, and also less susceptible to confiscation. For those who may be leery or skeptical, I’m sufficiently convinced that using a few guidelines, and with a few caveats, I can anonymously trade in Bitcoin and a host of other cryptocurrencies. For me, it’s a welcome addition to E&E planning, and the instructor of this course will make sure that you understand its implications as well.

This course covers a lot about encryption. And perhaps one of the greatest benefits is having the instructor explain the reasoning behind why some products are better than others. There are a ton of options when it comes to encryption, and there’s a growing number of encryption apps for smartphones. Choosing one is not a panacea. Just having Signal or Wickr on your cell phone is not the silver bullet to your privacy concerns, because there are some caveats to their use. Additionally, there are encryption products still on the market — and some that are still quite popular — that have been proven to be insecure, or to have bugs or backdoors. The instructor outlined those products to us and explained why we want to avoid using them. And on that note, encryption doesn’t mean that your communications are anonymous. You’re still exposing metadata, even with encrypted emails, and the instructor ensures that every student understands the principles and guidelines of using electronic communications in the most secure manner feasible. It doesn’t mean that you’re bulletproof; just that your privacy has a much greater chance of, and some would argue a near certainty of, withstanding state-sponsored and criminal hacking attempts.

This course covers a lot of information in a relatively short amount of time. After two days, every student walks away with more tools in their kit, and those with reasonable tech skills will find themselves with a more advanced understanding of how to make their electronic communications more secure. When you take this class, be sure to check out the Sepio laptop — I’m sold on it and will be ordering one shortly. Its operating system is Linux-based, so you’re already operating on a platform built for security. And when you begin to add additional layers of security, whether that’s TOR, TAILS, other anonymizing or spoofing tools, or encryption, then you’re going to have the hardware to be secure online. But regardless of your hardware decisions, everyone needs a software upgrade: that’s your brain, your knowledge, and the way you think about security.